(54) Computer security system

(57) Apparatus for controlling access to a computer from peripheral equipment 11 such as a VDU terminal includes a first
part such as a lock 12 which can be connected in the line between the equipment 11 and the computer 10 so that it
normally isolates them. A second part e.g. a portable unit can be located, 15, relative to the first part such that it can
transmit a code to the control unit of the first part. The control unit checks the code and opens the line if a valid code is
sensed. The lock also includes means permitting input from terminal 11 to the control unit of a character or characters
relating to a password and the control unit is arranged on the basis of the input characters to generate according to a stored
procedure a password for transmission to the computer.
COMPUTER SECURITY SYSTEM

This invention relates to the security of computer
systems.

It is well known in computer systems to require the
entry of the password or passwords in order to gain 
access to the system accounts. This type of 
arrangement provides only a relatively low level of 
security since the passwords tend to become known and 
can in some cases be evaded. The present invention 
is concerned with apparatus which is designed to 
provide an improved level of security. 

According to one aspect of the present invention 
there is provided apparatus for controlling access to 
a computer from peripheral equipment such as a VDU 
terminal, said apparatus including a first part which
is arranged to be connected in the line between the 
equipment and the computer so that it normally 
isolates said equipment and computer, and a second 
part which can be located relative to the said first 
part such that it can communicate with the control
unit of said first part, said second part being
arranged to transmit to the control unit a code and
said control unit being arranged to check the
validity of said code and to open said line if a
valid code is sensed, said first part also including
means permitting input to said control unit of a
character or characters relating to a password and
said control unit being arranged on the basis of the
input characters to generate according to a stored
procedure a password for transmission to the
computer. The communication between the second part
and the control unit can be a two way communication.

The apparatus may be arranged to transmit the 
password to the computer only if that password is
recognised as one validly associated with the code 
transmitted by the second part. 

The entry of said character or characters may result 
in the production of two elements of the password 
which are manipulated by the control unit in 
accordance with an algorithm to produce the password. 



This arrangement has the advantage that the passwords
used in the system need never become known to the
user. What a user does is input characters which
select a particular system account and on the basis
of those characters the control unit generates the
appropriate password which is only transmitted to the
computer if it is recognised as one validly
associated with that user.

The second part may be a hand held unit insertable by
any user into a receiving slot or the like in the
first part to permit communication with said control 
unit. The communication may be by way of an 
infra-red link, a radio type link, a magnetic type 
link or any other suitable means. The control unit 
may be arranged to check both that said second part is 
an authorised device and that the code transmitted to 
it is an authorised code. 

The apparatus may include a facility for disabling a 
line between the peripheral equipment and the 
computer subsequent to that line having been opened 
in response to the generation of a valid password.
This facility may be operable when said control unit 
senses a predetermined period of inactivity on said 



part is no longer operationally coupled to the first
part but said peripheral equipment is not logged off,
or when said control unit senses that said peripheral 
equipment has been logged off but said second part is 
still operationally coupled to the control unit. 

According to another aspect of the present invention
there is provided apparatus for controlling access to
a computer from a peripheral equipment such as a
VDU terminal, said apparatus including a first part
which is arranged to be connected in the line between
the equipment and the computer so that it normally 
isolates said equipment and computer, and the second 
part which can be located relative to said first part 
so that it can communicate with a control unit of 
said first part, said second part being arranged to 
transmit to the control unit a code and said control 
unit being arranged to check the validity of said 
code to open said line if a valid code is sensed, 
and wherein said second part includes a facility for 
disabling the line between the peripheral equipment 
and computer subsequent to that line having been 
opened. The communication between the second part 
and the control unit can be a two way communication. 



Said facility may be operable when said control unit
senses a predetermined period of inactivity on said
line, when said control unit senses that said second
part is no longer operationally coupled to said
control unit but that said peripheral equipment is
not logged off, or when said control unit senses that
said peripheral equipment has been logged off and
that said second part is still operationally coupled
to the control unit.

The invention will be described now by way of example 
only with particular reference to the accompanying 
drawings. In the drawings: 

Figure 1 is a block schematic diagram of a computer
system incorporating security apparatus in accordance
with the present invention;

Figure 2 is a block schematic diagram of a security
apparatus in accordance with the present invention, and

Figure 3 is a block diagram illustrating the function
of the apparatus.

Referring to Figure 1 a computer system comprises a
main computer illustrated at 10, a terminal 11, and
security apparatus hereinafter referred to as a lock
12 which is connected in the line between the
terminal 11 and computer 10. The lock 12 has a
button 14 whose function will be referred to later.
The lock 12 also has a slot 15 which can receive a
small hand held unit which will hereinafter be
referred to as a commander.

The commander can communicate with circuitry in the
lock 12 by any suitable means. In the present
embodiment the communication is by means of an
infra-red link but it will be appreciated that other
types of arrangement could be used such as magnetic
cards or radio tags. The lock 12 also incorporates a
buzzer which acts as an alarm as will be described
hereinafter. Also shown on Figure 1 is a security
computer 16.

Referring now to Figure 2 the lock is a processor
based device and includes an authentication module 20
and a control module 21 both of which are
micro-processor based devices. The commander slot is
shown at 15 and is terminated by an infra-red module
16 which is connected to the authentication module
20. The button 14 is connected to the control module
which itself has connections both to the terminal 11
and to the computer 10. It also has a connection to
the security computer 16. A micro switch 22 is
provided adjacent the slot 15 and is connected
to the control module 21. The unit includes a power
supply 24 for supplying the necessary power to the
authentication module and control module.

The function of the lock 12 in conjunction with a 
commander is to control access to the computer 10 
from the terminal 11. 

In use on power-up the lock 12 assumes a locked state
in which the terminal 11 and computer 10 are isolated
via the control module 21. A user wishing to access
the computer 10 can only do so by making use of his
commander unit. Initially the commander is inserted
into the commander slot 15. In this position the
commander can communicate with the authentication
module 20 by way of the module 16. The
authentication module initially carries out a check
to ensure that the commander unit inserted is an
authorised unit. Information regarding those
commander units which are authorised is stored within
the authentication module 20 to enable it to carry
out this function. In addition to using a valid
commander the user has to enter via the terminal
keyboard a personal identification number or code
which is unique to that user. This number is
communicated to the authentication module which
checks that it is the number of an authorised user
associated with that particular commander. The
authentication module has previously been provided
with that number as an authorised number. If the
correct identification number is entered then the
control module 21 is instructed to open the link
between the terminal 11 and the computer 10 so that
the user wishing to gain access can transmit
characters from the terminal to the computer although
cannot gain access to an account at that stage.

The user then has to enter a password in order to
access an account of the computer 10. The
present arrangement does not make use of a
conventional scheme for entering passwords. The
password itself is not known to a user of the system.
The system makes use of personal and system
passwords. There can be a number of personal
passwords and a number of system passwords. The user
initially operates the button 14 on the lock 12 and
in response to this a message is displayed on the
terminal 11 which prompts the user to select either a
personal or system password. After selecting the
type the user has to enter a number which in the case
of a personal password will be a single character and
in the case of a system password will be a two digit
number. On entry of a valid password number a word
known as a password tag is displayed on the terminal
screen and the user is invited to either accept or
reject this tag by pressing the return key. If the
user accepts the tag then an algorithm stored within
the control circuitry of the lock 12 generates a
password for transmission to the computer 10. This
password generation involves manipulation of a
password seed and a password base. If the
password is recognised as one which the user is
entitled to use the user will be allowed access to
the appropriate account within the computer. If not
then access will be refused. Thus it will be seen
that whilst the two elements required to generate a
password may be known the actual password
transmitted to the computer is not known and can be
maintained completely secret.

During access to an account in the computer 10 the
user is required to retain his commander in the slot
15. If the user removes his commander without
logging off this is sensed by the control circuitry
of the lock 12 and a message is displayed on the
terminal 11 requesting replacement of the commander
and the warning buzzer is also sounded. If the
commander is not replaced within a given time which
has previously been selected by the system manager
the control circuitry of the lock 12 attempts to log
the user off automatically. If this is successful
the lock returns to its locked state so that the user
can no longer access the computer 10. If automatic
log-off is unsuccessful the lock alarm sounds for a
programmable time and sends a message to the security
computer 16 to indicate that the automatic logoff has
been unsuccessful. The user's name and the commander
number and the reason for the error condition are
displayed on the terminal and repeated every ten
seconds. The user must then replace his commander
and complete the log-off procedure in order to remove
this error condition. Alternatively a security
officer may load a device in the slot 15 to correct
the situation.



Automatic log-off is initiated by the control unit of
the lock 12 transmitting a log-off command to the
computer 10. The control unit then awaits a response
from the computer following which it generates a
further signal or signals to complete the log-off.

If the user replaces his commander in response to the
warning referred to above he can again gain access to
the computer by operating his commander and inserting
his identification number as in the manner described
above.

The lock also incorporates other functions operable 
in connection with log-off. These are as follows. 
If the user removes his commander immediately after a 
valid log-off has been recognised by the lock the 
lock checks that the user has logged off correctly.
If the lock identifies a correct logoff then it 
assumes the condition in which the new user can gain 
access to the system in the manner described above. 
If the log-off is found to be incomplete, an 
automatic log-off procedure will be attempted in the 
manner described above. 



a valid log-off command is detected by the lock
and this is followed by a pre-selected period of
inactivity a short warning tone is generated. If
following this the user does not enter any further
information within a time specified by the system
manager the lock carries out a check to see whether
the user has logged off. If this is not the case the
lock will attempt automatic logoff in the manner
described above. If however, the user has already
logged off an alarm is sounded and a message produced
to indicate that the user has logged off but left the
commander in the slot 15. When the commander is
removed the alarm is cancelled and the lock assumes a
condition in which it is ready to receive the next
user.



If whilst logged on in the manner described above the
lock detects a long period of inactivity on the line
between the terminal and the main computer the user
is requested to activate his commander and enter his
identification number. If this operation is
performed correctly the link between the terminal 11
and the computer 10 is maintained so that the user
may continue interaction with the computer. If
however the commander is not operated or an incorrect
identification number is entered the lock again
attempts to logoff the user. If this is unsuccessful
an alarm condition occurs. If however the log-off is
successful an alarm is sounded to indicate that the
user has left the commander in the slot 15. Again
removal of the commander will cancel the alarm so
that the lock again assumes a state in which it is
ready to receive the next commander. Timing of
automatic log-off is controlled by a system of timeouts
which can be configured to suit each particular
installation.
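
The session supervision described in the preceding paragraphs can be written as a small state machine. The sketch below is an added example, not code from the patent: the state names, the event names ("auth_ok", "auth_bad", "password_ok", "removed", "idle", "timeout", "logged_off") and the host_logoff callback are hypothetical, and the normal log-off path (logged off, then commander removed) is simplified.

```python
from enum import Enum, auto


class State(Enum):
    LOCKED = auto()                # terminal and computer isolated
    LINK_OPEN = auto()             # commander and identification number accepted
    LOGGED_ON = auto()             # generated password accepted by the computer
    WARN_REMOVED = auto()          # commander removed without log-off, buzzer on
    REAUTH = auto()                # long inactivity: commander + number requested
    ALARM_LOGOFF_FAILED = auto()   # automatic log-off did not complete
    ALARM_COMMANDER_LEFT = auto()  # logged off, commander still in the slot


# Transitions that need no log-off attempt: (state, event) -> next state.
SIMPLE = {
    (State.LOCKED, "auth_ok"): State.LINK_OPEN,
    (State.LINK_OPEN, "password_ok"): State.LOGGED_ON,
    (State.LINK_OPEN, "removed"): State.LOCKED,
    (State.LOGGED_ON, "logged_off"): State.LINK_OPEN,   # simplified normal path
    (State.LOGGED_ON, "removed"): State.WARN_REMOVED,
    (State.LOGGED_ON, "idle"): State.REAUTH,
    (State.WARN_REMOVED, "auth_ok"): State.LOGGED_ON,
    (State.REAUTH, "auth_ok"): State.LOGGED_ON,
    (State.ALARM_COMMANDER_LEFT, "removed"): State.LOCKED,
    (State.ALARM_LOGOFF_FAILED, "logged_off"): State.LOCKED,
}
# Events that make the lock attempt automatic log-off, mapped to whether the
# commander is still in the slot at that moment.
FORCED = {
    (State.WARN_REMOVED, "timeout"): False,
    (State.REAUTH, "timeout"): True,
    (State.REAUTH, "auth_bad"): True,
}


class LockSupervisor:
    def __init__(self, host_logoff):
        self.state = State.LOCKED
        self.host_logoff = host_logoff   # callable: True if the host confirmed log-off
        self.security_log = []           # messages for the security computer

    def handle(self, event: str) -> State:
        key = (self.state, event)
        if key in FORCED:
            if not self.host_logoff():
                self.security_log.append("automatic log-off unsuccessful")
                self.state = State.ALARM_LOGOFF_FAILED
            elif FORCED[key]:
                self.state = State.ALARM_COMMANDER_LEFT
            else:
                self.state = State.LOCKED
        else:
            # Unlisted (state, event) pairs leave the state unchanged, so a
            # locked line is never opened by an unexpected input.
            self.state = SIMPLE.get(key, self.state)
        return self.state


def run(events, logoff_ok=True):
    """Feed a constructed event sequence to a fresh lock; return visited states and log."""
    lock = LockSupervisor(lambda: logoff_ok)
    return [lock.handle(e).name for e in events], lock.security_log
```
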

It will be appreciated that generation of system
passwords and information relating to valid
commanders will be under the control of a security
manager. The security manager can enter data
relevant to these parameters into the authentication
and control modules 20, 21 using a special device
known as a loader. Thus at any time the security
manager can introduce details of a newly authorised
commander or can delete details of a commander which
is no longer to be used. Instead of using the loader
it is possible to use an arrangement in which the
security manager configures the system from a remote
location.

It will be appreciated that the system software
incorporates a plurality of timeouts for example to
control the timing of automatic log-offs. These
timeouts are user configurable.

An important feature of the present system is the
password facility. In the present embodiment up to
15 system passwords may be defined. A list of the
passwords accessible to each user is entered when a
new commander is introduced and may be edited by
selecting a number from a main menu. Each system
password has its own tag and is derived from its
own base and the system seed. The tag is a string of
characters which are displayed after the number of
the password has been chosen by the user as a final
check that this is the account required. For example
a tag for a password used to gain entry to a mailing
list may be MAIL LIST. The base is also a string of
characters. When the password has been chosen and
the tag determined to be correct the base is combined
with the system seed and the resulting password sent
to the main computer as described above. The system
seed is also a string of characters and these can be
set to a number of different character values to
give more distinct passwords. By changing the
password seed the security manager can simultaneously
change all system passwords. The lock allows
passwords to be generated from the previous seed
facilitating the mechanism of changing passwords.

User passwords are derived in a similar manner, up to
4 for each user. Each user password has its own tag
and base; each user has his own seed.
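
The tag, base and seed scheme above can be sketched as follows. This is an added example, not code from the patent: the patent only says the base is "combined" with the seed, so HMAC-SHA256 is substituted as an assumed combining step, and every name and value below (the Lock class here, the commander identifier, tags, bases and seeds) is constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data; none of these values come from the patent.
SYSTEM_PASSWORDS = {                 # password number -> (tag, base)
    1: ("MAIL LIST", b"base-mail"),
    2: ("PAYROLL", b"base-payroll"),
}
ALLOWED = {"commander-0042": {1}}    # commander -> password numbers it may select


class Lock:
    def __init__(self, seed: bytes):
        self.seed = seed
        self.previous_seed = None

    def rotate_seed(self, new_seed: bytes) -> None:
        """Security manager changes the seed: every system password changes at once."""
        self.previous_seed, self.seed = self.seed, new_seed

    @staticmethod
    def _combine(base: bytes, seed: bytes) -> str:
        # Assumed combining step (HMAC-SHA256, truncated); the patent names
        # no algorithm for manipulating the base and the seed.
        return hmac.new(seed, base, hashlib.sha256).hexdigest()[:16]

    def tag_for(self, commander: str, number: int) -> str:
        """Tag shown on the terminal so the user can confirm the account."""
        if number not in ALLOWED.get(commander, set()):
            raise PermissionError("password not associated with this commander")
        return SYSTEM_PASSWORDS[number][0]

    def password(self, commander: str, number: int, tag_accepted: bool,
                 use_previous_seed: bool = False):
        """Return the password to transmit, or None if the user rejected the tag."""
        self.tag_for(commander, number)      # association check comes first
        if not tag_accepted:
            return None
        seed = self.previous_seed if use_previous_seed else self.seed
        if seed is None:
            raise ValueError("no previous seed stored")
        return self._combine(SYSTEM_PASSWORDS[number][1], seed)


def demo():
    """Derive a password, rotate the seed, then derive under both seeds."""
    lock = Lock(seed=b"seed-A")
    old = lock.password("commander-0042", 1, tag_accepted=True)
    lock.rotate_seed(b"seed-B")
    new = lock.password("commander-0042", 1, tag_accepted=True)
    # The lock keeps the previous seed, so the outgoing password can still be
    # generated while passwords are being changed.
    still_old = lock.password("commander-0042", 1, True, use_previous_seed=True)
    return old, new, still_old


if __name__ == "__main__":
    print(demo())
```

The user only ever types a password number and accepts a tag; the derived string never appears on the terminal side of the lock.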

As a further feature which will provide an added level 
of security a plug in encryption unit can be provided 
between the terminal and computer. 

1. Apparatus for controlling access to a computer
from peripheral equipment such as a VDU terminal,
said apparatus including a first part which is
arranged to be connected in the line between the
equipment and the computer so that it normally
isolates said equipment and computer, and a second
part which can be located relative to the said
first part such that it can communicate with the
control unit of said first part, said second part
being arranged to transmit to the control unit a
code and said control unit being arranged to check
the validity of said code and to open said line if
a valid code is sensed, said first part also
including means permitting input to said control
unit of a character or characters relating to a
password and said control unit being arranged on
the basis of the input characters to generate
according to a stored procedure a password for
transmission to the computer.



2. Apparatus as claimed in claim 1, wherein the 
communication between the second part and the 
control unit is a two way communication. 

3. Apparatus as claimed in claim 1 or claim 2, 
wherein the apparatus is arranged to transmit the 
password to the computer only if that password is 
recognised as one validly associated with the code 
transmitted by the second part. 

4. Apparatus as claimed in any preceding claim,
wherein the entry of said character or characters
results in the production of two elements of the
password which are manipulated by the control unit
in accordance with an algorithm to produce the
password.

5. Apparatus as claimed in any preceding claim,
wherein the second part is a hand held unit
insertable by any user into a receiving slot or
the like in the first part to permit communication
with said control unit.

6. Apparatus as claimed in any preceding claim,
wherein the communication is by way of an infra-red
link, or a radio type link, or a magnetic type
link.

7. Apparatus as claimed in any preceding claim,
wherein the control unit is arranged to check both
that said second part is an authorised device and
that the code transmitted to it is an authorised
code.

8. Apparatus as claimed in any preceding claim, 
including a facility for disabling a line between 
the peripheral equipment and the computer 
subsequent to that line having been opened in 
response to the generation of a valid password. 

9. Apparatus for controlling access to a computer 
from a peripheral equipment such as a VDU terminal, 
said apparatus including a first part which is 
arranged to be connected in the line between the 
equipment and the computer so that it normally 
isolates said equipment and computer, and the 
second part which can be located relative to said 
first part so that it can communicate with a
control unit of said first part, said second part
being arranged to transmit to the control unit a 
code and said control unit being arranged to check 
the validity of said code to open said line if a 
valid code is sensed, and wherein said second part 
includes a facility for disabling the line between 
the peripheral equipment and computer subsequent to 
that line having been opened. 

10. Apparatus as claimed in claim 9, wherein the 
communication between the second part and the 
control unit is a two way communication. 

11. Apparatus as claimed in claim 9 or claim 10, 
wherein said facility is operable when said control 
unit senses a predetermined period of inactivity on 
said line, when said control unit senses that said 
second part is no longer operationally coupled to 
said control unit but that said peripheral 
equipment is not logged off, or when said control 
unit senses that said peripheral equipment has been 
logged off and that said second part is still 
operationally coupled to the control unit. 

12. Apparatus for controlling access to a computer
substantially as hereinbefore described with
reference to and as shown in the accompanying
drawings.



